The Road to Zero Day: Idea to Manuscript

My idea for writing Zero Day dates back to the early 2000s. It was then that a string of new, explosive virus outbreaks brought malware to the public’s attention. The first automatically spreading virus, called a worm, was Happy99. It spammed an infected user’s contacts and when received simply wished the recipient a happy New Year in 1999 with a small fireworks display.

Several similar worms followed, including Melissa, ILOVEYOU, and the Anna Kournikova Virus.

Up to this point the viruses were simply a nuisance and only affected systems and networks as a side-effect. Code Red, which hit in mid-2001, was first in a quick succession of new fast-spreading worms that moved between computers by exploiting vulnerabilities in network applications and that caused significant disruption and financial damage. Code Red infected over 250,000 systems in 9 hours and Nimda (Admin spelled backward) spread so fast that it slowed the Internet and penetrated millions of systems within half an hour of its release.

2002 was relatively quiet, but 2003 was an active year for major attacks. It brought Slapper, Blaster, Sobig and Sober, each one crashing systems, shutting them down, or flooding networks and inboxes. SQL Slammer doubled in size every 8.5 seconds, infected 90% of vulnerable hosts within 10 minutes, and indirectly caused the shutdown of 13,000 Bank of America ATMs.

2004 brought more of the same and in 2005 virus writers started leveraging rootkit techniques, which bury a virus deep in a system and cloak its presence from standard diagnostic and administration utilities. I even ran into a rootkit, one I discovered on a Sony music CD-ROM, that shot me into the mainstream press for my “15 seconds of fame”, including a brief appearance on the Today Show.

In all the cases where the perpetrator was identified, it turned out to be a lone hacker, sometimes a high school student. Imagine if a group of sophisticated hackers collaborated to develop a family of viruses that used new exploits to spread slowly, casting a wide net and running beneath the radar of the antimalware companies. And then imagine those viruses deleting the data on the systems they infected. It didn’t take much imagination to realize that malware would be an ideal weapon: low cost, nearly impossible to trace, and incredible destructive potential. It seemed the cybersecurity community was focused entirely on cybercrime with no focus on cyber war, or the even bigger threat created by the difficulty of retaliation, cyber-terrorism. I felt the need to raise awareness and thought there was no better way than to entertain in the process.

In early 2005, I sketched the characters and plot for Zero Day and began writing. I finished the first draft in mid-2006, about the time I joined Microsoft, and based on the feedback of friends and family was confident that it was as good as or better than many in the thriller genre I had read. The several books on novel writing I bought indicated that the next step was to find an agent. With my established technical credentials as a coauthor of the non-fiction Windows Internals book, the audience reach I had via my technical blog and the Sysinternals web site, and the notoriety the Sony rootkit story had brought me, I was sure I would have no trouble finding an agent eager to represent Zero Day.

While reading this book I wondered where the idea came from and if it was based on similar situations that you had been in. I can't wait for the next post and how you found the agent. Great work on Zero Day. Mark my words, it will be on the NYT Bestseller list.

I still remember installing Windows 2000 Server on a test machine when I first got my DSL connection back in 2001. Of course Windows 2000 installed IIS by default, and as soon as the machine dialed PPPoE using its internal PCI DSL modem to go to Windows Update, it got hit with Code Red. It became very obvious why Microsoft went the route they did with Windows Server 2003 SP2 by enabling the firewall on a clean install and taking the minimalistic approach.
The IIS Lockdown Tool sure was welcome when Microsoft released it.